af819bf623
This commit allows the Landlock[0] system calls in the default seccomp policy.

Landlock was introduced in kernel 5.13, to fill the gap that inspecting filepaths passed as arguments to filesystem system calls is not really possible with pure `seccomp` (unless involving `ptrace`).

Allowing Landlock by default fits in with allowing `seccomp` for containerized applications to voluntarily restrict their access rights to files within the container.

[0]: https://www.kernel.org/doc/html/latest/userspace-api/landlock.html

Signed-off-by: Tudor Brindus <me@tbrindus.ca>

- apparmor
- seccomp